Grant rights to reset multifactor authentication

Resetting multifactor authentication (MFA) is a common everyday operation that you may want to delegate to other users. For example, you can allow the helpdesk to reset MFA for employees from specific offices, or allow department managers to reset MFA of their direct reports.

There are two types of multifactor authentication that you can reset via Adaxes:

  • Secondary authentication methods in Microsoft 365
  • Authenticator apps used for Adaxes web interface sign-ins or password self-service

To delegate MFA reset, you need to grant users permissions to do so. Permissions in Adaxes are always granted using security roles. While the permissions to reset both MFA types are bundled together, you can restrict which options are available by configuring the Reset multifactor authentication operation in the web interface.

Permissions granted by security roles are effective only within Adaxes.

In this tutorial, you will learn how to add permissions to reset MFA to an existing security role and adjust which MFA types can be reset in the web interface.

  1. Launch Adaxes administration console.

     How
    • On the computer where Adaxes administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Security Roles and select the security role you want to modify.

  3. In the Permissions section on the right, click Add.

  4. In the Add Permissions dialog, do the following:

    • In the list of object types on the left, select User.

    • In the General permissions section, select the Reset Multifactor Authentication permission in the Allow column.

    • Click OK.

  5. Click Save changes.

Configure web interface operation

Out of the box, the Reset multifactor authentication operation in the web interface allows the user to choose which MFA to reset – Microsoft 365, Adaxes, or both.

Instead of letting users decide, you can configure the operation to always reset both MFA types or limit it to a single predefined type.

  1. Open Adaxes web interface configurator.

     How
    • On the computer where web interface configurator is installed, open Windows Start menu.

    • Click Adaxes Web Interface Configurator.

    To configure the web interface, you need to have the appropriate permissions.

     Permissions

    The permissions to configure the web interface are delegated via security roles. By default, only service administrators have the appropriate permissions. To enable other users to configure the web interface, grant them the corresponding permissions.

    To create a security role that grants the permissions to configure web interface:

    • In Adaxes administration console, right-click your Adaxes service, point to New and click Security Role.

    • Enter a name for the new security role and click Next.

    • On the Permissions step, click the down arrow embedded into the Add button and click Configure Web Interface.

    • Click Next and follow the steps in the wizard.

  2. In the top left corner, select the web interface you want to customize.

  3. In the left navigation menu, click Management.

  4. In the Operations section, select Reset multifactor authentication.

  5. Activate the Configuration tab and customize the operation.

  6. Save the changes.

    Section settings can be applied to other web interface configurations. Click the down arrow button in the top right corner of the section and then click Apply to other web interfaces.


Reset MFA from the Actions pane

It is also possible to reset multifactor authentication from the Actions pane in Adaxes web interface. Actions can have separate configurations that override the default operation settings.

For example, this can be helpful if you want to create two separate actions for different user groups – one that lets the user choose which MFA to reset, and another that always resets MFA in Microsoft 365.

For more details, see Configure Actions pane.

Multifactor authentication card

The web interface Home page has a card that allows users to reset a mobile authenticator app (Google Authenticator, Authy, Okta Verify, etc.) they activated as a second authentication factor for Adaxes web interface sign-ins or Adaxes self-service password resets.

No special permissions are required to reset personal Adaxes MFA via this card. As long as a user is signed in and the card is enabled, they can use it. Out of the box, the card is enabled only in the Self-service web interface.

 How to enable the Multifactor authentication card
  • Open Adaxes web interface configurator.

  • In the top left corner, select the web interface you want to customize.

  • In the left navigation menu, click Home page.

  • In the Cards section, select the checkbox next to Multifactor authentication.

  • Save the changes.

For more details about configuring the Home page, see Customize the Home page.

Reset MFA using a custom command

Sometimes, resetting multifactor authentication is just one step in a larger workflow that must be completed when a user loses their phone. Instead of performing each step manually, you can create a custom command that contains all the necessary actions and logic.

This approach also gives you more precise control over permissions. Rather than granting access to run every step in the workflow, users only need the permissions to run the custom command itself.

Automatically reset MFA using a script

Sometimes the logic required to decide which multifactor authentication to reset and whether to reset it at all is more complex than what you can configure with conditions.

You might also already have a script that performs multiple related tasks, in which case it makes more sense to integrate the MFA reset into that script rather than add it as a separate action.

To execute a PowerShell script in a business rule, custom command or scheduled task, add the Run a program or PowerShell script action to it.

 How
  • Launch Adaxes administration console.

  • Select a business rule, custom command or scheduled task.

  • Click Add new action set.

  • Right-click Do nothing and then click Add Action in the context menu.

  • In the Add Action dialog, select Run a program or PowerShell script.

  • To open the script editor, click the Edit button.

  • If a script is executed in a business rule and its execution can take a long time, it is recommended to run the script asynchronously. To do it, select the Execute asynchronously option.

    If the option is selected, the business rule does not wait for the script to finish, so users are not kept waiting for the operation to complete. Take into account that if an error occurs during asynchronous execution of a script, it is not displayed in the Execution Log of the operation.

  • Click the button to provide a custom description for the action.

To get the target object of the custom command, business rule, or scheduled task, you can use a variable called $Context. It is a predefined PowerShell variable of type ExecuteScriptContext.

# Reset MFA in Microsoft 365.
$user = $Context.TargetObject
$user.ResetMfa($null, $true)

You can also reset MFA of several accounts in the same script. All user objects in Adaxes implement the IAdmResetMfa interface. To use this interface, you need to bind to an object whose multifactor authentication you want to reset.

$accountDNs = @(
    "CN=John Smith,CN=Users,DC=example,DC=com",
    "CN=Jane Doe,CN=Users,DC=example,DC=com",
    "CN=Michael Brown,CN=Users,DC=example,DC=com",
    "CN=Emily Davis,CN=Users,DC=example,DC=com",
    "CN=Robert Johnson,CN=Users,DC=example,DC=com"
)

foreach ($accountDN in $accountDNs) {
    
    # Bind to an account.
    $account = $Context.BindToObjectByDN($accountDN)

    # Reset MFA in Microsoft 365 and Adaxes.
    $apps = $account.GetApplicationsUserEnrolledIn()
    $account.ResetMfa($apps, $true)
}
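As an added example (not from the Adaxes documentation), the script below shows the kind of decision logic described above that is hard to express with conditions alone: it skips disabled accounts, resets Microsoft 365 MFA only for users in a constructed list of departments, and resets only the Adaxes authenticator apps the target user is actually enrolled in. It assumes it runs as a Run a program or PowerShell script action in a custom command targeting a user; the $Context.LogMessage call and the ADSI Get() calls are assumptions not shown on this page.

```powershell
# Added example, not part of the original page. Assumes a custom command
# whose target object is a user; $Context.LogMessage and Get() are assumed.
$user = $Context.TargetObject
$sam = $user.Get("sAMAccountName")

# Leave disabled accounts alone: nobody should be re-enrolling MFA on them,
# and a reset would only create an open enrollment window. (0x2 = ACCOUNTDISABLE)
$uac = [int]$user.Get("userAccountControl")
if (($uac -band 0x2) -ne 0) {
    $Context.LogMessage("Account $sam is disabled; MFA reset skipped.", "Warning")
    return
}

# Constructed list for this example: only these departments have
# Microsoft 365 MFA that the helpdesk is allowed to reset from here.
$m365Departments = @("Sales", "Support")
try { $department = [string]$user.Get("department") } catch { $department = "" }
$resetM365 = $m365Departments -contains $department

# Reset only the Adaxes apps the user has enrolled in (may be empty or $null).
$apps = $user.GetApplicationsUserEnrolledIn()
$appCount = if ($apps) { @($apps).Count } else { 0 }

if (($appCount -eq 0) -and (-not $resetM365)) {
    $Context.LogMessage("Nothing to reset for $sam.", "Information")
    return
}

# Same IAdmResetMfa call as above: enrolled apps first, Microsoft 365 flag second.
$user.ResetMfa($apps, $resetM365)
$Context.LogMessage(
    "MFA reset for ${sam}: Adaxes apps=$appCount, Microsoft 365=$resetM365 (department '$department').",
    "Information")
```

Every branch writes to the operation's Execution Log, so an auditor can later see why a given account was or was not reset.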

Finally, you can reset multifactor authentication via REST API. This can be helpful if you need to initiate MFA reset from a third-party application that can run scripts. For more details, see the REST API Overview and the Reset multifactor authentication request.